As Crawford correctly noted, we have been responding to all security alerts in 2009 and will continue to do so.

When an alert comes in, I am normally taking the initiative to get the problem characterized. I have been adjusting the team a couple of times during 2009. It is essential that people on the team are responsive and help with evaluation, decisions and fixing. People who have not been able to be active in a period have been gently removed from the team and new ones have been added.

It is essential to understand that the security mailing list is only for the active security team members. You cannot join the mailing list just to get early warnings about security issues. For a security team to be efficient and able to keep things secret, it must be limited to a need-to-know based group.

I believe the current team has the right size. I will continue to dynamically adjust the team members so we have the right mix of skills and people who in this period of their lives have the time to prioritize urgent fixes in our code.

Remember that it is the responsibility of the entire development community to write code with security in mind and to prevent escaped security issues from reaching the attackers before our users have had the time to patch their installations.

We often see people (non-developers) trying to join the security mailing list. They misunderstand the purpose and think it is an announcement mailing list. To those that admin the mailing lists, let me take care of them. I send them a friendly No with guidance to join the announcement mailing list instead.

I want to thank the development community for the incredible focus we have had on security in 2009. Foswiki has significantly raised the bar from a security perspective.

This team is in need of a new team lead as Kenneth hasn't been seen on the project for a long time. Kenneth, are you still available? Or anybody else on the list: please step forward to take the lead. Thanks.